Tom Lane wrote:
> Robert Treat <[EMAIL PROTECTED]> writes:
>> Did you mean s/trust/ident/g, otherwise I don't think I understand the
>> above...
>
> Both trust and ident local auth are sources of risk for this, although
> ident is particularly nasty since the DBA probably thinks he's being
> secure.
>
> For that matter, I'm not sure that *any* auth method except password
> offers much security against the problem; don't LDAP and Kerberos
> likewise rely mostly on process-level identity? And possibly PAM
> depending on which PAM plugin you're using?

OK, so following that line of thought, how about:

    As a security precaution, dblink revokes access from PUBLIC role
    usage for the dblink_connect functions. It is not safe to allow
    ordinary users to execute dblink from a database in a PostgreSQL
    installation that allows account access using any authentication
    method which does not require a password. In that case, ordinary
    users could gain access to other accounts via dblink as if they
    had the privileges of the database superuser.

If the allowed authentication methods require a password, this is no
longer an issue.

> I'm not sure whether this is something to back-patch, though, since
> a back-patch will accomplish zero for existing installations.

OK. But it might still be worth doing, along with something in the
release notes.

Joe
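
An added example, not part of the original message or of dblink itself: a Python check that reads pg_hba.conf text and lists the rules whose method admits a session without a password, the condition the proposed wording warns about. The grouping of methods is an assumption drawn from this thread (trust and ident flagged, password, md5 and crypt treated as password methods, anything else marked for review), and the sample file is constructed.

```python
import ipaddress
import shlex

# Assumption taken from the thread: trust and ident are named as risky,
# password-based methods as safe; other methods were left as open questions.
NO_PASSWORD = {"trust", "ident"}
PASSWORD = {"password", "md5", "crypt"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, conn_type, database, user, method) for each rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if not fields:
            continue
        if fields[0] == "local":
            idx = 3                       # local DATABASE USER METHOD
        elif fields[0].startswith("host"):
            idx = 4                       # host DATABASE USER ADDRESS METHOD
            if len(fields) > 5 and _is_ip(fields[4]):
                idx = 5                   # separate netmask column
        else:
            continue                      # not a rule this check understands
        if len(fields) > idx:
            yield lineno, fields[0], fields[1], fields[2], fields[idx].lower()

def audit(text):
    """Return (lineno, method, verdict) for rules not using a password method."""
    findings = []
    for lineno, _type, _db, _user, method in parse_hba(text):
        if method in NO_PASSWORD:
            findings.append((lineno, method, "no-password"))
        elif method not in PASSWORD:
            findings.append((lineno, method, "review"))
    return findings

# Constructed sample, not taken from any real installation.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS                  METHOD
local   all       all                            ident sameuser
host    all       all   127.0.0.1/32             md5
host    all       all   192.168.0.0 255.255.0.0  trust
host    all       all   ::1/128                  pam
"""

if __name__ == "__main__":
    for lineno, method, verdict in audit(SAMPLE):
        print(f"line {lineno}: {method} -> {verdict}")
```

Any "no-password" finding means EXECUTE on the dblink_connect functions should stay revoked from PUBLIC on that installation.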